b'OFFICE OF INSPECTOR GENERAL\n\n\nAUDIT OF USAID\xe2\x80\x99S\nIMPLEMENTATION OF\nSELECTED HOMELAND\nSECURITY PRESIDENTIAL\nDIRECTIVE 12\nREQUIREMENTS FOR\nPERSONAL IDENTITY\nVERIFICATION OF FEDERAL\nEMPLOYEES AND\nCONTRACTORS\nAUDIT REPORT NO. A-000-08-004-P\nFebruary 06, 2008\n\n\nWASHINGTON, DC\n\x0cOffice of Inspector General\n\n\nFebruary 06, 2008\n\nMEMORANDUM\n\nTO:                  CIO/M, Chief Information Officer, David C. Anewalt\n\nFROM:                IG/A/ITSA, Director, Melinda G. Dempsey /s/\n\nSUBJECT:             Audit of USAID\xe2\x80\x99s Implementation of Selected Homeland Security Presidential\n                     Directive 12 (HSPD-12) Requirements for Personal Identity Verification of Federal\n                     Employees and Contractors (Audit Report No. A-000-08-004-P)\n\nThis memorandum transmits the Office of Inspector General\xe2\x80\x99s final report on the subject audit. In\nfinalizing the report, we considered your written comments on our draft report and included those\ncomments in their entirety in Appendix II of this report.\n\nThe report contains one recommendation. Based on your response to our draft report, we have\nreached a management decision on the recommendation. Please notify the Bureau for\nManagement\xe2\x80\x99s Audit, Performance and Compliance Division when final action is completed.\n\nI appreciate the cooperation and courtesies extended to my staff during this audit.\n\n\n\ncc: Office of Security, Randy Streufert\n\n\n\n\nU.S. Agency for International Development\n1300 Pennsylvania Avenue, NW\nWashington, DC 20523\nwww.usaid.gov\n\x0cCONTENTS\nSummary of Results ......................................................................................................... 1\n\nBackground ....................................................................................................................... 
3\n\nAudit Objective .................................................................................................................... 5\n\nAudit Finding ..................................................................................................................... 6\n\n     Implementation Plan Is Needed for HSPD-12............................................................... 7\n\nEvaluation of Management Comments ........................................................................... 12\n\nAppendix I \xe2\x80\x93 Scope and Methodology ............................................................................ 13\n\nAppendix II \xe2\x80\x93 Management Comments ........................................................................... 15\n\x0cSUMMARY OF RESULTS\nHomeland Security Presidential Directive 12 (HSPD-12) requires the development and\nimplementation of a mandatory Governmentwide standard for secure and reliable forms of\nidentification of Federal employees and contractors to access federally controlled facilities\nand information systems. The Office of Inspector General, Information Technology and\nSpecial Audits Division, in Washington, DC, conducted an audit to determine whether\nUSAID addressed selected HSPD-12 requirements 1 from the Office of Management and\nBudget (OMB) and the National Institute of Standards and Technology (NIST) in support\nof Personal Identity Verification (PIV) of Federal employees and contractors. The audit\nassessed USAID\xe2\x80\x99s progress on selected HSPD-12 requirements and milestones due in\ncalendar years 2007 and 2008 (see page 5).\n\nIn support of HSPD-12, OMB outlined the implementation schedule to executive agencies.\nSelected HSPD-12 requirements will be addressed in two phases that incorporate the use\nof various NIST technical requirements. 
PIV-I requires agencies to develop policies and\nprocedures to verify the personal identities of Federal employees and contractors,\nincluding identity verification for applicants, background checks, and employee\nregistration. PIV-II defines the technical requirements and functions that agencies must\nincorporate into a Federal identity credential. During PIV-II, agencies must demonstrate\ntheir ability to issue new identification cards to all employees and contractors. Employees\nand contractors who started Federal employment since October 2005 are required to\nfollow PIV-I requirements for identity verification. Employees and contractors who started\nFederal employment since October 2006 are required to meet PIV-I requirements and\nreceive identity credentials that conform to PIV-II requirements. Current employees and\ncontractors who started their employment prior to October 2005 are required to have\ncomplete background checks by October 2007 or October 2008, depending on their years\nof service (see page 4).\n\nUSAID\xe2\x80\x99s Office of Security had implemented policies and procedures before the HSPD-12\ninitiative to ensure that USAID employees, contractors, and other Government personnel\nhad adequate background checks or underwent personal security investigations and\nvetting. However, the audit found that USAID did not fully address selected HSPD-12\nrequirements from the Office of Management and Budget and National Institute of\nStandards and Technology in support of Personal Identity Verification. Specifically, USAID\ndid not fully comply with PIV-I requirements because USAID personnel could not identify\nor retrieve all of the identity proofing documents from the Department of State\xe2\x80\x99s (DoS)\nIdentity Management System. 
USAID also did not meet the OMB PIV-II target date to\nissue new Federal identity credentials to current employees and contractors in 2007, nor\nwill it meet OMB\xe2\x80\x99s 2008 target date based on prior rates of issuance (see page 6).\nSeveral factors contributed to USAID\xe2\x80\x99s inability to meet the PIV-I and PIV-II requirements:\n(1) USAID\xe2\x80\x99s lack of an implementation plan as required by OMB, (2) USAID\xe2\x80\x99s decision not\nto establish HSPD-12 as a higher-priority information technology (IT) investment,\n(3) USAID\xe2\x80\x99s dependence on DoS implementation of HSPD-12, (4) NIST\xe2\x80\x99s evolving\ntechnical requirements, and (5) OMB\xe2\x80\x99s funding constraint on Agency budget requests.\nSome of these factors were external to USAID and thus outside of USAID\xe2\x80\x99s control.\n\n1\n  The requirements selected were based on OMB\xe2\x80\x99s HSPD-12 implementing instructions and are\nshown in table 1 on page 4 of this report.\n\n\n                                                                                           1\n\x0cNonetheless, without a plan to implement HSPD-12 and Agency support to fund HSPD-12\nas a higher-priority IT investment, USAID\xe2\x80\x99s project managers are left with few or no details\nabout how they can best implement HSPD-12. As a result, project managers made ad hoc\ndecisions regarding funding, resources, and technical approaches that may not have been\nrealistic and ultimately may have delayed or prevented the Agency\xe2\x80\x99s implementation of\nthis Governmentwide mandate. If USAID does not implement PIV-I and PIV-II, it may not\nfully realize the critically needed security benefits of PIV, and interoperability among\nFederal agency PIV card programs (one of the major goals of HSPD-12) may not be\nachieved (see pages 7\xe2\x80\x9311).\n\nThis report makes one recommendation to improve USAID\xe2\x80\x99s implementation of HSPD-12\n(see page 11). 
In response to the draft report, USAID agreed with the audit\nrecommendation, outlined its plans to address the audit recommendation, and provided\nestimated dates when the final action would be completed. Based on an evaluation of the\nAgency\xe2\x80\x99s comments, a management decision has been reached on the recommendation\n(see page 12). USAID\xe2\x80\x99s comments are included in their entirety in appendix II of this report\n(see page 15).\n\n\n\n\n                                                                                          2\n\x0cBACKGROUND\nIn response to terrorist attacks on the United States, the President issued a series of\ninitiatives to increase security across Government agencies. On August 27, 2004, the\nPresident signed Homeland Security Presidential Directive 12 (HSPD-12), which required\nthe development and implementation of a mandatory Governmentwide standard for\nsecure and reliable forms of identification to allow Federal employees and contractors to\ngain physical access to federally controlled facilities and logical access to federally\ncontrolled information systems. The goals of HSPD-12 emphasized security and\ninteroperability among Federal Government agencies and specified that identity\ncredentials would be\xe2\x80\x94\n\n   \xe2\x80\xa2   Issued based on firm criteria to verify an employee\xe2\x80\x99s identity;\n   \xe2\x80\xa2   Strongly resistant to identity fraud, tampering, counterfeiting, and terrorist\n       exploitation;\n   \xe2\x80\xa2   Rapidly authenticated electronically; and\n   \xe2\x80\xa2   Issued only by providers whose reliability had been established.\n\nHSPD-12 assigns responsibility to the Office of Management and Budget (OMB) for\noverseeing executive agencies\xe2\x80\x99 implementation of HSPD-12 and to the National Institute\nof Standards and Technology (NIST) for issuing technical guidance. 
NIST issued Federal\nInformation Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of\nFederal Employees and Contractors, and other supporting technical publications to help\nexecutive agencies implement HSPD-12\xe2\x80\x99s requirements.\n\nIn August 2005, OMB issued memorandum M-05-24, Implementation of Homeland\nSecurity Presidential Directive (HSPD) 12\xe2\x80\x94Policy for a Common Identification Standard\nfor Federal Employees and Contractors, to executive branch agencies with instructions\nand timeframes to implement selected HSPD-12 requirements. OMB and NIST defined\nHSPD-12\xe2\x80\x99s implementation in two phases: PIV part one (PIV-I) and PIV part two (PIV-II).\nTable 1 summarizes some selected key OMB requirements and timeframes to implement\nselected requirements under PIV-I and PIV-II.\n\n\n\n\n                                                                                        3\n\x0cTable 1. HSPD-12 Selected Requirements and OMB Implementation Deadlines 2\n                                                                    OMB\n                                                               Implementation\n HSPD-12 Selected Requirements                                   Deadlines\n PIV-I\n 1. Initiate national agency check with inquiry (NACI) before\n                                                                  10/27/05\n credential issuance\n 2. Maintain and identify the two types of documents used\n                                                                  10/27/05\n for employee and contractor identity proofing\n 3. Complete background investigations for current\n employees and contractors with fewer than 15 years of            10/27/07\n service\n 4. Complete background investigations for current\n employees and contractors with more than 15 years of             10/27/08\n service\n PIV-II\n 5. Start issuance of identity credentials                        10/27/06\n 6. 
Issue and require the use of identity credentials for\n current employees and contractors with fewer than 15 years       10/27/07\n of service\n 7. Issue and require the use of identity credentials for\n current employees and contractors with more than 15              10/27/08\n years of service\n 8. Use the credentials\xe2\x80\x99 electronic security features to\n authenticate identities to gain physical access to facilities        *\n 9. Use the credentials\xe2\x80\x99 electronic security features to\n authenticate identities to gain electronic access to                 *\n information systems\n*According to OMB\xe2\x80\x99s HSPD-12 implementation guidance, agencies are not required to complete implementation of all\ncard capabilities on October 27, 2006. Thus, agencies are not expected to have their entire infrastructure installed to\nenable use of the cards at all facilities and systems. However, agencies are expected to make use of the cards using a\nrisk-based approach.\n\n\nPIV-I requires agencies to develop policies and perform specific procedures to ensure that\nthe personal identities of employees and contractors are verified and registered before\nissuing Federal identity credentials. During identity proofing, the applicant is required to\nprovide two forms of identity source documents in original form. The identity source\ndocuments must come from the list of acceptable documents included in Form I-9, OMB\nNo. 1115-0136, Employment Eligibility Verification, and at least one of the documents\nmust be a valid State or Federal government-issued picture identification. Additionally, the\nidentity source documents used for identity proofing must be recorded by the Agency. PIV-\nII provides guidance on technical interoperability requirements, implementation, issuance,\nand use of identity credentials. 
Current employees and contractors who started their\nemployment prior to October 27, 2005, were required to have complete background\nchecks by October 27, 2007, or October 27, 2008, depending on their years of service.\nHowever, new employees and contractors who started employment since October 27,\n2005, were immediately subject to PIV-I background check requirements for identity\nverification. New employees and contractors who started employment since October 27,\n2006, were immediately subject to both PIV-I and PIV-II requirements.\n2\n    Source: Office of Management and Budget, Memorandum M-05-24, dated August 5, 2005.\n\n\n                                                                                                                     4\n\x0cWhen PIV-II is fully implemented Governmentwide, the holder of an identity credential card\nfrom one agency can be electronically authorized by another agency to access its facilities\nand systems. The identity credentials store encoded data on a credit card\xe2\x80\x93sized card that\nverifies the identity of each cardholder through a card reader. For example, a cardholder\npresents the credential to a card reader at a physical entrance to request access to a\nFederal Government facility. Once the data are read, the card reader sends the\ninformation to an access control system that will either grant or deny access to the\ncardholder. Similarly, when a cardholder presents the credential to a card reader for\nnetwork access at a login screen, the logical access control system validates the\ncardholder\xe2\x80\x99s credential and authenticates the identity of the cardholder before granting\naccess to an information technology (IT) system.\n\nUSAID\xe2\x80\x99s implementation of HSPD-12 is led by personnel within USAID\xe2\x80\x99s Office of the\nChief Information Officer (CIO) and Office of Security (SEC). 
USAID\xe2\x80\x99s Acting CIO was\ntasked to design, develop, implement, and maintain security access systems, including\nsecurity identification and credentialing for USAID employees and contractors. Under\nUSAID\xe2\x80\x99s Office of the CIO, the Chief Information Security Office was responsible for\nregistering the enrollment of personnel into the identity management system used to issue\ncredentials. USAID\xe2\x80\x99s SEC was responsible for ensuring that USAID employees,\ncontractors, and other Government personnel had or followed appropriate personal\nsecurity background checks. SEC was responsible for credential issuance, maintenance,\nand security for physical access to USAID headquarters.\n\nTo support the HSPD-12 project, USAID\xe2\x80\x99s SEC entered into a 5-year memorandum of\nunderstanding with the Bureau of Diplomatic Security within the Department of State\n(DoS). This interagency agreement enrolled USAID in the DoS Identity Management\nSystem (IDMS), which enabled USAID to issue and renew credentials based on DoS PIV-\nII cards.\n\nDoS is responsible for issuing credentials to USAID employees and contractors assigned\nto overseas posts. As of May 2007, approximately two-thirds of USAID\xe2\x80\x99s total workforce\nwas assigned to overseas posts, with the remaining third located at U.S. headquarters.\n\nAs of April 2007, USAID\xe2\x80\x99s HSPD-12 project team had obligated about $251,000 for the\npurchase of equipment and contractor support to implement HSPD-12. 
3\n\nAUDIT OBJECTIVE\nThe Office of Inspector General, Information Technology and Special Audits Division,\nincluded this audit in its fiscal year 2007 audit plan to answer the following question:\n\n       Did USAID address selected requirements from the Office of\n       Management and Budget and the National Institute of Standards and\n       Technology in support of Homeland Security Presidential Directive 12 for\n       Personal Identity Verification of Federal Employees and Contractors?\n\nAppendix I contains a discussion of the audit\xe2\x80\x99s scope and methodology.\n3\n  The Office of the CIO and the Office of Security provided approximately $110,000 and $141,000,\nrespectively.\n\n\n                                                                                              5\n\x0cAUDIT FINDING\nAs shown in table 2 below, USAID did not fully address selected HSPD-12 requirements\nfrom the Office of Management and Budget and National Institute of Standards and\nTechnology in support of Personal Identity Verification.\n\nTable 2. HSPD-12 Selected Requirements, OMB Deadlines and Status of USAID\xe2\x80\x99s\nPlanned Completion Dates (as of May 31, 2007)\n                                                       USAID\xe2\x80\x99s\n                                              OMB     Completion Has USAID Met\n Selected HSPD-12 Requirements               Deadline    Date     Requirement?\n                          4\n Compliance with PIV-I\n 1. Initiate national agency check with 10/27/05       10/26/05         Yes\n inquiry (NACI) investigations prior to\n credential issuance or alternate check\n 2. Maintain and identify the two types of 10/27/05     To Be           No*\n documents used for employee and                      Determined\n contractor identity proofing                           (TBD)\n 3. Complete background investigations for 10/27/07    10/26/05         Yes\n current employees and contractors with\n fewer than 15 years of service\n 4. 
Complete background investigations for 10/27/08    10/26/05         Yes\n current employees with more than 15\n years of service\n Compliance with PIV-II\n 5. Start issuance of identity credentials   10/27/06  10/27/06         Yes\n 6. Issue and require the use of identity 10/27/07       TBD             No\n credentials for current employees and                           (Estimate ~ 2011\n contractors with fewer than 15 years of                              or later)\n service\n 7. Issue and require the use of identity 10/27/08       TBD             No\n credentials for current employees and                           (Estimate ~2011\n contractors employed with more than 15                               or later)\n years of service\n 8. Use the credentials\xe2\x80\x99 electronic security    **       TBD           No***\n features to authenticate identities to gain\n physical access to facilities\n\n\n\n\n4\n  As required, USAID recognized federally awarded clearances performed by other U.S.\nGovernment agencies.\n\n\n                                                                                  6\n\x0c(Table 2 \xe2\x80\x93 continued from previous page)\n9. Use the credentials\xe2\x80\x99 electronic security                         **               TBD                    No***\nfeatures to authenticate identities to gain\nelectronic access to information systems\n* USAID could neither identify nor retrieve from the Identity Management System the two forms of identification used to\nvet an individual\xe2\x80\x99s identity that were issued a Federal identity credential as required by NIST 201 for 9 out of 20 sampled\nemployees.\n** According to OMB\xe2\x80\x99s HSPD-12 implementation guidance, agencies are not required to complete implementation of all\ncard capabilities on October 27, 2006. Thus, agencies are not expected to have their entire infrastructure installed to\nenable use of the cards at all facilities and systems. 
However, agencies are expected to make use of the cards using a\nrisk-based approach.\n*** USAID did not develop an implementation plan that included estimated due dates for meeting these requirements.\n\n\n\n\nImplementation Plan Is Needed for HSPD-12\n Summary: USAID did not fully comply with PIV-I requirements because USAID\n personnel could not identify or retrieve all of the identity proofing documents from the\n Department of State\xe2\x80\x99s (DoS) Identity Management System. USAID also did not meet the\n OMB PIV-II target date to issue new Federal identity credentials to current employees\n and contractors in 2007, nor will it meet OMB\xe2\x80\x99s 2008 target date based on prior rates of\n issuance. USAID did not meet the above-noted requirements in OMB Memorandum\n M-05-24 and supporting documents, in part because it did not (1) develop an\n implementation plan in support of HSPD-12 or (2) establish HSPD-12 as a higher-\n priority IT investment. As a result, USAID project managers who are responsible for\n issuing and meeting OMB Federal identity credential deadlines and the requirement to\n use the Federal identity credential to access Federal facilities and information systems\n had few or no details as to how they could best implement these requirements in\n concert with DoS. This led to project managers having to make ad hoc decisions\n regarding funding, resources, and technical approaches that may not have been realistic\n and ultimately may have delayed or prevented the Agency\xe2\x80\x99s implementation of this\n Governmentwide mandate. Therefore, USAID may not fully realize the critically needed\n security benefits of PIV, and more important, interoperability among Federal agency PIV\n card programs (one of the major goals of HSPD-12) may not be achieved.\n\nAs shown in table 2, USAID did not fully comply with PIV-I requirements for credentials\nissued under PIV-II. 
OMB memorandum M-05-24 directs that PIV-I identity proofing and\nregistration processes must be consistent with NIST guidance and applied to all new\nidentity credentials. This includes the PIV-I requirement to identify or retrieve the two\nsource documents presented for identity proofing of employees and contractors. The two\ndocuments must come from the list of acceptable documents included in Form I-9, OMB\nNo. 1115-0136, Employment Eligibility Verification.\n\nNeither Department of State nor USAID could identify or retrieve from the identity\nmanagement system used by USAID and maintained by the Department of State the two\nidentity source documents used for 9 out of 20 sampled employees. Nor did USAID have\nany other records to provide this information to the OIG when requested. Consequently,\nUSAID could not demonstrate its compliance with the PIV-I requirement. When USAID\xe2\x80\x99s\nproject manager was made aware of this problem, the project manager promptly\ncommunicated it to USAID\xe2\x80\x99s Office of Security and Department of State for resolution.\nBecause USAID is taking steps to address this issue, the Office of Inspector General is not\nmaking a formal recommendation to address this problem at this time.\n\n\n                                                                                                                         7\n\x0cUSAID also did not meet OMB\xe2\x80\x99s 2007 PIV-II target date to issue and use identity\ncredentials for employees and contractors with fewer than 15 years of service, and will not\nmeet OMB\xe2\x80\x99s 2008 target date to issue new identity credentials to current employees and\ncontractors with more than 15 years, based on prior rates of issuance. USAID began\nissuing PIV-II credentials in October 2006. From October 2006 through May 2007, USAID\nissued 497 credentials to its approximately 3,100 employees and contractors at\nheadquarters. This equates to roughly 60 credentials per month. 
At this rate of issuance,\nUSAID would need more than 3 years to issue credentials for the approximately 2,600\nremaining employees and contractors at headquarters. Consequently, USAID did not meet\nOMB\xe2\x80\x99s October 2007 and based on these rates of issuance will not meet OMB\xe2\x80\x99s 2008\ntarget dates. USAID\xe2\x80\x99s HSPD-12 project team members indicated that resource constraints\nlimited the number of credentials that could be issued.\n\nFurther, USAID officials from the Office of the CIO and the SEC acknowledged that they\ncould not meet OMB\xe2\x80\x99s PIV-II target dates of October 2007 and 2008 for issuance and to\nstart using the credentials\xe2\x80\x99 electronic features to authenticate cardholder identities to\naccess facilities and information systems.\n\nMore important, USAID will not meet the PIV-II requirements because it did not develop an\nimplementation plan. An implementation plan would serve as the Agency\xe2\x80\x99s road map to\nprovide action-oriented direction in defining key milestones, processes, and specifications\nto implement the logical and physical access requirements of HSPD-12. Additionally, it\nwould provide a concept of operation and identify the resources required to support the\nimplementation of HSPD-12\xe2\x80\x99s PIV-II requirements. According to OMB\xe2\x80\x99s instructions for\nimplementing HSPD-12, agencies were required to submit their implementation plans to\nOMB by June 27, 2005.\n\nAlthough USAID did not prepare an implementation plan for OMB that described a\ncomprehensive strategy, the HSPD-12 project team has tried to develop an approach to\nimplement PIV-II and has modified its approach several times since the beginning of the\nHSPD-12 initiative.\n\nThe Agency\xe2\x80\x99s initial approach started with the development of a business case 5 in the fall\nof 2005 for funding in the FY 2007 budget cycle. 
The project team estimated that about\n$17 million would be required to implement HSPD-12 at headquarters and at 60 overseas\nmissions worldwide. The business case\xe2\x80\x99s acquisition plans presumed that USAID would\npurchase its own Identity Management System (IDMS). In this approach, the acquisition\nplans assumed no DoS participation. USAID officials indicated that this initial approach\nwas changed due to funding limitations in the spring of 2006, when the Agency sought to\nenter into an interagency service agreement with DoS. Under this agreement, DoS would\nbe responsible for producing and issuing identity credentials for USAID employees and\ncontractors. This draft agreement was never formalized and subsequently changed.\n\nNonetheless, USAID entered into a signed agreement to use the DoS IDMS. USAID would\nobtain PIV-II cards from DoS and issue the PIV-II cards as Federal identity credentials to\nUSAID headquarters\xe2\x80\x99 employees and contractors. However, the project team officials\nindicated that DoS would not allow USAID\xe2\x80\x99s facility and IT systems to be connected to its\n\n5\n  A business case is a formal document used to evaluate and justify IT project investment requests\nfrom either the capital investment or operating expense funds.\n\n\n                                                                                                8\n\x0cIDMS. 
Therefore, the agreement with DoS alone will not address the technical\nrequirements and functions to access facilities and IT systems that USAID must\nincorporate to use the Federal identity credential.\n\nUnder the current approach, three functional components operate independently:\n(1) IDMS, the DoS system that USAID is using to issue and renew PIV identity credentials;\n(2) a system that assigns access privileges for employees and contractors to access\nUSAID\xe2\x80\x99s facilities; and (3) systems that authenticate access privileges for employees and\ncontractors to specific information systems. Even though OMB\xe2\x80\x99s implementation guidance\ndirects agencies to phase in the use of the Federal identity credential capabilities at\nfacilities and systems, USAID\xe2\x80\x99s project team has not addressed how the use of the\nFederal identity credentials will be phased in to integrate these functional components into\na single credential. Specifically, USAID did not develop an implementation plan that\naddressed the integration of these functional components.\n\nAdditionally, USAID\xe2\x80\x99s HSPD-12 project team members indicated that USAID will not meet\nthe PIV-II requirements because of funding constraints. Project managers for HSPD-12\nindicated that the Agency did not restructure its major IT investments to provide additional\nresources to support this Governmentwide initiative because of other competing Agency\nprojects that needed funding.\n\nDespite the lack of total funding for HSPD-12, as of April 2007 the project team had\nobtained $251,000 from the offices of the Chief Information Officer and Office of Security\nto support the HSPD-12 project, which included the service agreement with DoS,\ncontractor support, and equipment purchases used to enroll applicants and issue\ncredentials. Subsequent to the OIG\xe2\x80\x99s fieldwork, the Agency provided additional funds for\nfiscal years 2008 and 2009. 
Therefore, the Office of Inspector General is not making a recommendation regarding the project’s funding.

During the audit, three external factors were also identified as reasons USAID had not met the PIV-II requirements. First, USAID’s employees and contractors working in overseas posts rely on DoS regional security officers for identity credentials; however, PIV-II identity credentials cannot be issued until DoS deploys its new credentials to its overseas posts. As of May 2007, DoS estimated that deployment of its new credentials will not be completed until 2011 or later—at a minimum, more than 3 years past OMB’s schedule. Second, NIST continued to issue various technical requirements after OMB issued its implementing instructions to executive agencies. For example, several months before and after agencies were to start compliance with PIV-II in October 2006, key publications needed to implement the technical requirement provisions of FIPS 201 were revised and reissued. Thus, agencies did not have sufficient time to test and acquire compliant products within OMB required timeframes. Figure 1 on the next page illustrates when NIST issued FIPS 201 and subsequent technical publications and guidance in relation to the signing of HSPD-12 and OMB’s instructions to agencies.

Figure 1. Time Line of FIPS 201 and Related Activities (as of August 2007)

[Timeline figure spanning 2004 through 2007, showing: HSPD-12 signed; FIPS 201 issued; 800-73 issued guidance on interfaces for PIV; 800-78 Cryptographic Algorithms and Key Sizes for PIV; 800-79 Certification and Accreditation of PIV Issuing Organizations; OMB implementation guidance; agencies submitted implementation plans to OMB; begin PIV I compliance; NIST designated labs to conduct PIV conformance testing; 800-85A PIV Application and Middleware; 800-73-1 Interface for PIV; FIPS 201-1 issued; 800-85B PIV Data Mode; 800-96 PIV Card/Reader; begin PIV II compliance; 800-76-1 Biometric Data; 800-87 Codes for Identification; 800-104 PIV Topography; 800-78-1 Cryptographic Key Sizes for PIV.]

Third, OMB initially announced to agencies that no additional funding would be provided to implement the requirements of HSPD-12. OMB expected agencies to fund HSPD-12 through existing funds. OMB anticipated that agencies would restructure their major investments to pay for HSPD-12. Moreover, because all Federal agencies have existing background investigation, access control, and identification credential activities, OMB anticipated that these activities, and the funding used to support them, would be used to support HSPD-12 activities.

Although these factors are external to USAID and important, the Office of Inspector General is not making any recommendations to address them in this report.

CONCLUSION

Although some challenges and dependencies remain outside USAID’s control and prevent it from addressing and obtaining full compliance with PIV-I and PIV-II requirements within OMB’s stipulated completion target dates, USAID can make improvements, such as developing a plan, to advance the implementation of HSPD-12. Without an implementation plan, project managers who are responsible for implementing the physical and logical access requirements mandated in PIV-II are left with few or no details about how they can best implement these requirements in concert with the DoS IDMS system. This situation leads project managers to make ad hoc decisions regarding funding, resources, and technical approaches that may not be realistic and may delay or prevent the Agency’s implementation of this Governmentwide mandate.
Furthermore, the critical security benefits of PIV may not be fully realized, and more important, interoperability among Federal agency PIV card programs (one of the major goals of HSPD-12) may not be achieved. Consequently, USAID needs to define required resources and plan how it will implement PIV-II, including issuance of credentials to support physical and logical access to USAID facilities and systems.

Therefore, the Office of Inspector General is making one recommendation to assist the Agency’s implementation of HSPD-12:

Recommendation No. 1: We recommend that USAID’s Chief Information Officer develop and document an implementation plan for Personal Identity Verification Part II, and submit the plan to the Office of Management and Budget.

EVALUATION OF MANAGEMENT COMMENTS

In its response to the draft report, USAID agreed with the audit finding and the one recommendation made in the report. The Agency outlined its plans to address the audit recommendation and provided corrective action plans and target completion dates. As a result, management decisions have been reached for recommendation no. 1.

USAID provided additional comments that were considered when finalizing this audit report. To clarify the information in tables 1 and 2 from the draft report, item numbers 2 and 4 were added (i.e., “Identify and maintain the two types of documents…” and “Start issuance of identity credentials”).
In addition, the recommendation was modified by deleting the following second sentence: “In developing this plan, consideration should be given to explore other options to implement Homeland Security Presidential Directive 12.”

USAID’s consolidated comments, which incorporate comments from the Office of the Chief Information Officer and the Office of Security, are included in appendix II.

APPENDIX I

SCOPE AND METHODOLOGY

Scope

This audit was performed in accordance with generally accepted Government auditing standards. The Office of Inspector General, Information Technology and Special Audits Division performed this audit to determine whether USAID addressed selected requirements of the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) in implementing Homeland Security Presidential Directive 12 (HSPD-12) for Personal Identity Verification (PIV) of Federal employees and contractors.

Audit fieldwork was conducted between January and August 2007, primarily at USAID headquarters in Washington, DC, and in Northern Virginia. The audit team met with Department of State (DoS) Diplomatic Security personnel and visited their data processing facility in Northern Virginia, which supports the IDMS system that USAID uses.

In support of the audit objective, the audit team evaluated internal controls related to the implementation of PIV-I and PIV-II requirements.
The scope of work focused on USAID headquarters employees and contractors, and covered the following areas:

      •   Personal identity proofing processes
      •   Memorandum of understanding between DoS and USAID for access and use of IDMS assets
      •   Federal identity credential issuance processes
      •   HSPD-12 implementation planning
      •   HSPD-12 information technology project prioritization and budgeting

The audit team evaluated whether the HSPD-12 project team had documented plans to phase in the use of Federal identity credentials to access Federal facilities and information systems to meet selected OMB and NIST requirements and deadlines for selected HSPD-12 requirements (see methodology section below).

As of April 2007, USAID’s HSPD-12 project team had obligated nearly $251,000 for the purchase of equipment and contractor support to implement HSPD-12.

Methodology

As the framework for designing this audit, the audit team identified requirements primarily from HSPD-12, OMB’s HSPD-12 implementation instructions issued in August 2005,6 and NIST’s Federal Information Processing Standards (FIPS) 201. From these documents, the team judgmentally selected nine key requirements as a basis for evaluating USAID’s progress for implementing HSPD-12. They included four requirements within PIV-I and five requirements within PIV-II.
PIV-I selected requirements were (1) initiate national agency check with inquiry (NACI) investigations before credential issuance or alternate check, (2) maintain and identify the two types of documents used for employee and contractor identity proofing, (3) complete background investigations for all current employees and contractors with fewer than 15 years of service, and (4) complete background investigations for current employees and contractors with more than 15 years of service. PIV-II selected requirements were (1) issue identity credentials, (2) issue and require the use of identity credentials for all current employees and contractors with fewer than 15 years of service, (3) issue and require the use of identity credentials for all current employees and contractors with more than 15 years of service, (4) use the credentials’ electronic security features to authenticate identities to gain physical access to facilities, and (5) use the credentials’ electronic security features to authenticate identities to gain electronic access to information systems.

6 OMB Memorandum, M-05-24.

The audit team evaluated whether each of the nine selected requirements was met on the basis of HSPD-12, OMB, and NIST completion target dates and requirements. Additionally, for requirements for which the completion target dates have not yet passed and which are likely not to be met, the team evaluated whether documentation (such as implementation plans and rates of credential issuance) existed to determine whether requirements could be completed by the target date.
In reviewing the rates of credential issuance, the team assumed a constant rate based on historic rates of issuance and projected that rate to future periods to determine whether the target could be met.

The audit team reviewed a prior Government Accountability Office (GAO) audit report, Agencies Face Challenges in Implementing New Federal Employee Identification Standard (dated February 2006); the Federal Identity Credentialing Committee’s Federal Identity Management Handbook; and applicable USAID documentation relating to planning, budgeting, and implementation of HSPD-12 requirements. The team met with USAID project team members from the Office of the Chief Information Officer and the Office of Security. The team conducted a walk-through of the DoS facility housing the Identity Management System servers and met with DoS staff involved with server administration as well as DoS contacts used by USAID for HSPD-12 support efforts.

To test whether PIV-I and PIV-II procedure requirements were implemented to meet OMB’s and NIST’s FIPS 201 requirements, the audit team judgmentally selected a total of 20 direct hire and contractor staff working at headquarters7 who were issued new identity credentials between October 27, 2006, and January 24, 2007. The team tested four attributes to determine whether the following steps were completed:

    •   Two forms of ID were on file.
    •   Background investigations were completed (including adjudication).
    •   Federal Bureau of Investigation fingerprint check was completed and one fingerprint card was on file.
    •   Signed USAID form 500-1 (authorizing logical and physical access) was on file.

In addition, the audit team tested management control processes associated with the receipt, issuance, and storage of PIV-II cards.
Owing to the importance of the vetting process, our noncompliance materiality threshold was set to one.

7 Out of the 30 judgmentally selected direct hires and contractors, 20 were issued PIV cards and 10 were issued Facility Access Cards.

APPENDIX II

MANAGEMENT COMMENTS

December 10, 2007

MEMORANDUM

TO:                 IG/A/ITSA, Melinda G. Dempsey

FROM:               M/CIO, David Anewalt /s/

SUBJECT: Audit of USAID’s Implementation of Selected Homeland Security Presidential Directive 12 (HSPD-12) Requirements for Personal Identity Verification of Federal Employees and Contractors (Audit Report No. A-000-08-00X-P)

Thank you for the opportunity to respond to the draft audit report. This memorandum contains the management decision for the draft Audit of USAID’s Implementation of Selected Homeland Security Presidential Directive 12 (HSPD-12) Requirements for Personal Identity Verification of Federal Employees and Contractors (Audit Report No. A-000-08-00X-P).

The following are our management decision and corrective actions regarding the proposed audit recommendation:

Recommendation No. 1: We recommend that USAID’s Chief Information Officer develop and document an implementation plan for Personal Identity Verification Part II, and submit the plan to the Office of Management and Budget. In developing this plan, consideration should be given to explore other options to implement Homeland Security Presidential Directive-12.

The Offices of the CIO and Security agree with the recommendation. We have prepared a draft joint CIO and SEC HSPD-12 implementation plan and have summarized it below. We plan to finalize this plan by June 2008.
The successful implementation of HSPD-12 is dependent upon consistent and adequate funding, resource availability and top management support. The HSPD Implementation plan will be flexible in order to respond to changing requirements, standards, guidelines and technology. The CIO will ensure that the HSPD-12 requirements are met and will report our progress periodically to the OIG. We plan to implement HSPD-12 requirements in four phases:

Phase I (CIO)

Phase I is Personal Identity Verification (PIV) I and II compliance with background checks, enrollment (sponsorship, two forms of identification, digital photograph, biometrics) and issuance of a compliant Federal ID card. The Agency is almost 100% compliant with the objectives for background checks, enrollment and card issuance for new employees. The target completion date for enrollment and card issuance for all current employees and contractors working in USAID/Washington is June 2009.

Target completion date: June 2009 for USAID/Washington; June 2012 for overseas employees (dependent on DoS implementation)

Phase II (SEC)

Phase II consists of physical security upgrades necessary to enable physical access to USAID/Washington using the new PIV card. The first part will consist of an upgrade to software of the current access control system and replacement card readers in order to use the PIV card for basic physical access. The second part is to design and engineer a replacement of the current aging access control system.
We will initiate planning for this project when: 1) the Agency has made a final decision on whether to use the DoS IDMS, purchase an independent IDMS which replicates data to DoS, or seek another alternative; 2) when funding becomes available for planning/design, engineering, procurement and implementation of this project and 3) the appropriate MOUs and/or agreements are reached with DoS.

Target completion date: December 2010 - USAID/W; Overseas (not applicable)

Phase III (may run concurrently with Phase IV) (CIO)

Phase III will include desktop upgrades to use new PIV card with readers, biometric data and encryption hardware to enable employees to use the new credential for authentication and authorization (includes Public Key Infrastructure).

Target completion date: December 2013 - USAID/W; and December 2017 USAID Overseas

Phase IV (CIO)

Phase IV will address the feasibility of integrating the IDMS with related independent systems (e.g., access control system for physical access, systems used for logical access, HR system, personnel security databases, etc.). The goal of this phase is to ensure that the IDMS (or other designated system) is the system of authority for data.

Target completion date: December 2013 USAID/W and December 2017 USAID Overseas

Since the field work was completed, USAID has issued 1036 credentials. We now have two operational enrollment and issuance stations which has doubled our capacity to issue credentials. For FY08, the HSPD-12 program is slated for $1.80 million in capital investment funds. We requested $2.0 million in funding for the HSPD-12 program for FY2009. We have initiated a weekly USAID HSPD-12 Implementation group to monitor progress and ensure coordination with Agency stakeholders.
We have partnered with DoS (with OMB concurrence) and believe the partnership has already paid dividends by allowing USAID to:

       •   Accelerate implementation timeframes;
       •   Reduce implementation costs for HSPD-12 requirements;
       •   Realize efficiencies in eliminating redundant infrastructure and;
       •   Enhance Interoperability – Much easier to ensure interoperability across a limited number of systems.

If you have questions or need additional information, please contact Shirl Hendley, M/CIO at 202-712-4704 or Lorrie Meehan, (SEC), 202-712-5338.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: (202) 712-1150
Fax: (202) 216-3047
www.usaid.gov/oig